
Bugtraq mailing list archives

Java HTTP proxy vulnerability
From: Harmen van der Wal <harmwal () xs4all nl>
Date: 05 Mar 2002 02:32:24 +0100


===Java HTTP proxy vulnerability===

   Reference  wal-01
   Version    1.0
   Date       March 05, 2002

===Cross references

   Sun Security Bulletin               #00216
   Microsoft Security Bulletin       MS02-013

   Vulnerability identifier     CAN-2002-0058 (under review)


   Java, networking, HTTP
   Web browsers, applets 
   Unchecked network access, HTTP proxy connection hijacking

===Abstract problem description

The Java security model is designed to allow code from an untrusted
source, usually web applets, to be safely executed.

An applet could make irregular, unchecked HTTP requests.

Network access restrictions that apply can be bypassed.
Only systems that have an HTTP proxy configured can be vulnerable.

One particularly nasty exploit is where a remote server, aided by a
hostile applet, hijacks a browser's persistent HTTP connection to its
configured HTTP proxy.

===Affected software & patch availability; vendor bulletins


       Bulletin Number:  #00216
       Date:             March 4, 2002
       Title:            HttpURLConnection
       (At the time of this writing bulletin 216 was not available on
       the website yet.)


       Microsoft Security Bulletin  MS02-013
       Java Applet Can Redirect Browser Traffic
       Originally posted: March 04, 2002
       (URL is wrapped, please fix.)

        Sun JVM (Java Virtual Machine) Issue

===Vendor contact
Shortly after I, more or less by coincidence, discovered the issue, I
reported it to Sun on April 07, 2001. They communicated it to their
Java licensees, and coordinated a synchronized response.

   =Free Java implementations
I audited both Kaffe and GNU Classpath class libraries, and to the
best of my knowledge, they are not vulnerable to this issue. Anyone
out there developing a free(TM) Java, please contact me if you have
questions or concerns, and I will be happy to assist you in any way I

===Disclosure policy
I do not plan to release details of the vulnerability, which could make
it easier for crackers to get exploits, before a three-month grace
period has expired. Customers should not assume that the lack of
vulnerability details at this time will prevent the creation of
exploit programs.

===Detailed problem description
No details are provided at this time.
See Disclosure policy.

I supplied Sun with a PoC-exploit, and they passed it on to other
vendors. No further distribution is expected.

===Software I tested/audited myself
Sun/Blackdown         1.1.7/8, 1.2.2, 1.3.0/1   linux/win32
Netscape 4.61         default Java Runtime      linux
MSIE 5.0              default Java Runtime      win32
HotJava Browser 3.0
Kaffe 1.06
GNU Classpath 0.03

Thanks to the vendors for addressing the issue. Special thanks to
Sun, in particular Chok Poh, for coordinating.

===Disclaimer & Copying
Copying in whole and quoting parts permitted.

Version 1.0 is the first release of this document.
Updates    http://www.xs4all.nl/~harmwal/issue/wal-01.txt

Author     Harmen van der Wal
Mail       harmwal () xs4all nl
PGP        http://www.xs4all.nl/~harmwal/harmen.pgp.txt




Harmen van der Wal - http://www.xs4all.nl/~harmwal/
